35 matches found
PT-2026-44195
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been...
Keycloak 代码问题漏洞
Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has code-related vulnerabilities. These vulnerabilities arise when the revokeRefreshToken=true setting is enabled, and persistent session storage is used. A server restart can reset the internal...
Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
A flaw was found in Spring Boot. A local attacker on the same host as the application may be able to take control of the ApplicationTemp directory due to predictable temporary directory handling. When the server.servlet.session.persistent setting is enabled and the attack persists across...
PHP 资源管理错误漏洞
PHP is an open-source scripting language executed on the server side. Versions of PHP prior to 8.2.31, 8.3.31, 8.4.21, and 8.5.6 contained a resource management vulnerability. This vulnerability occurred when the SoapServer was configured as SOAPPERSISTENTSESSION. In such cases, the processing...
Improper Control Of Temporary Directory Access
org.springframework.boot, spring-boot is vulnerable to improper control of temporary directory access. The vulnerability is due to inadequate ownership verification of the ApplicationTemp directory when persistent sessions are enabled, which allows a local attacker to gain control of the director...
Spring Boot accepts predictable temp directory without ownership verification
A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack...
CVE-2026-40973
A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack...
CVE-2026-40973
The CVE-2026-40973 issue affects Spring Boot versions 4.x (4.0.0–4.0.5 with fix in 4.0.6), 3.5.x (3.5.0–3.5.13 with fix 3.5.14), 3.4.x (3.4.0–3.4.15 with fix 3.4.16), 3.3.x (3.3.0–3.3.18 with fix 3.3.19), and 2.7.x (2.7.0–2.7.32 with fix 2.7.33). The vulnerability stems from the ApplicationTemp m...
CVE-2026-40973
A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack...
CVE-2026-40973
A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack...
CVE-2026-40973
A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack...
PT-2026-35545
A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack...
GO-2026-4551 Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api
Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api...
GHSA-3CCG-X393-96V8 Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Summary The application allows users to set weak passwords e.g., 1234, password without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account via brute-force or credential stuffing can mainta...
EUVD-2026-8751
Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change...
Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Summary The application allows users to set weak passwords e.g., 1234, password without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account via brute-force or credential stuffing can mainta...
CVE-2026-27575
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords e.g., 1234, password without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An...
CVE-2026-27575 Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords e.g., 1234, password without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An...
CVE-2026-27575 Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords e.g., 1234, password without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An...
CVE-2026-27575 Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords e.g., 1234, password without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An...